Tripwire Cures Virtual Misconfiguration

Misconfiguring your system can lead to trouble, as any seasoned system administrator knows, and that is as much of a problem in the virtual world as in the physical.

The chances of misconfiguring virtual systems are much higher, though, because virtualization is a new technology.

But help is at hand. Configuration assessment and change auditing vendor Tripwire has created a free utility, ConfigCheck, that can analyze and validate the configuration of a VMware ESX hypervisor .

When a misconfiguration is detected, users can click on a VMware

"VMware has a very secure environment, but it could be misconfigured in such a fashion that it could pose some security risks," Mark Gaydos, Tripwire's vice president of marketing, told InternetNews.com.

Misconfiguration is one of the biggest security issues customers need to think about when running any enterprise software, including ESX, Nand Mulchandani, VMware's senior director, product management and marketing, told InternetNews.com.

"There haven't been any attacks against the hypervisor that could be demonstrated to break through, but misconfiguration could put you in a situation where you can get attacked even if you have no vulnerabilities or are fully patched," he added.

There are about 100 configuration settings in VMware that need to be set to ensure the most hardened environment possible, and these have, up to now, had to be manually checked.

"We have so many detailed settings people need to think about" and using ConfigCheck regularly will help "rapidly address any issues that come out of that," Mulchandani said.

VMware considers misconfiguration "a public health issue" for its customer base, so it's "spending a lot of time to raise customers' awareness" in this area, Mulchandani said.

Keep it simple

However, Kurt Roemer, chairman, chief technology officer and chief security strategist at VMware archrival Citrix (NASDAQ: CTXS), thinks having up to 100 configuration options for a hypervisor is unnecessary.

"It's strange that a product that should have inherent security should have so many choices you need to rectify for hardening," he told InternetNews.com.

Citrix ships its XenServer hypervisor "so that it's secure out of the box, we don't provide a lot of knobs for customers to go perturb the security," said Benn Schreiber, the company's senior director of business development. "We've eliminated a lot of children's playing with the toys and messing things up."

Modifications to XenServer are made using its application programming interface (API), its GUI and its XenCenter management console "and you cannot mess things up," Schreiber added.

Sun Microsystems uses the same strategy as Citrix. "Sun's approach is to minimize the possibility of misconfiguring the hypervisor," Vijay Sarathy, senior director of marketing for Sun xVM, told InternetNews.com.

For example, its xVM Server hypervisor, due out this summer in beta, will come as a preconfigured software appliance with secure default settings, Sarathy said.

It will also provide "well-defined interfaces, specifically through a browser-based management console" for administration and will have a self-update capability, Sarathy added.

While Tripwire's utility "probably gives customers a sense of security," it will itself need to be updated regularly to keep pace with VMware's technology advances, and that will add to customers' burdens because they'll also have to keep track of the utility, Schreiber said.

According to him, VMware requires a high number of configuration settings because its hypervisor "can run on virtually any processor," whereas XenServer doesn't because it has been designed to run well on the newer processors from Intel and AMD, which incorporate virtualization.

"You need the new processors to run Windows anyway, and we take advantage of the new technology," Schreiber added.